What exactly did he discover?

The researcher first noticed that the malware was trying to contact a specific web address every time it infected a new computer. But the web address it was trying to contact – a long jumble of letters – had not been registered.